<!DOCTYPE html>
<html>

<head>
  <title>Quarkus - Quarkus Extension for Spring Security API</title>
  <script id="adobe_dtm" src="https://www.redhat.com/dtm.js" type="text/javascript"></script>
  <script src="/assets/javascript/highlight.pack.js" type="text/javascript"></script>
  <META HTTP-EQUIV='Content-Security-Policy' CONTENT="default-src 'none'; script-src 'self' 'unsafe-eval' 'sha256-ANpuoVzuSex6VhqpYgsG25OHWVA1I+F6aGU04LoI+5s=' 'sha256-ipy9P/3rZZW06mTLAR0EnXvxSNcnfSDPLDuh3kzbB1w=' js.bizographics.com https://www.redhat.com assets.adobedtm.com jsonip.com https://ajax.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://use.fontawesome.com; style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self' *; media-src 'self' ; frame-src https://www.googletagmanager.com https://www.youtube.com; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;">
  <META HTTP-EQUIV='X-Frame-Options' CONTENT="DENY">
  <META HTTP-EQUIV='X-XSS-Protection' CONTENT="1; mode=block">
  <META HTTP-EQUIV='X-Content-Type-Options' CONTENT="nosniff">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="Quarkus: Supersonic Subatomic Java">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:site" content="@QuarkusIO"> 
  <meta name="twitter:creator" content="@QuarkusIO">
  <meta property="og:url" content="https://quarkus.io/guides/spring-security" />
  <meta property="og:title" content="Quarkus - Quarkus Extension for Spring Security API" />
  <meta property="og:description" content="Quarkus: Supersonic Subatomic Java" />
  <meta property="og:image" content="/assets/images/quarkus_card.png" />
  <link rel="canonical" href="https://quarkus.io/guides/spring-security">
  <link rel="shortcut icon" type="image/png" href="/favicon.ico" >
  <link rel="stylesheet" href="https://quarkus.io/guides/stylesheet/config.css" />
  <link rel="stylesheet" href="/assets/css/main.css" />
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.1.0/css/all.css" integrity="sha384-lKuwvrZot6UHsBSfcMvOkWwlCMgc0TaWr+30HWe3a4ltaBwTZhyTEggF5tJv8tbt" crossorigin="anonymous">
  <link rel="alternate" type="application/rss+xml"  href="https://quarkus.io/feed.xml" title="Quarkus">
  <script src="https://quarkus.io/assets/javascript/goan.js" type="text/javascript"></script>
  <script src="https://quarkus.io/assets/javascript/hl.js" type="text/javascript"></script>
</head>

<body class="guides">
  <!-- Google Tag Manager (noscript) -->
  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NJWS5L"
  height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
  <!-- End Google Tag Manager (noscript) -->

  <div class="nav-wrapper">
  <div class="grid-wrapper">
    <div class="width-12-12">
      <input type="checkbox" id="checkbox" />
      <nav id="main-nav" class="main-nav">
  <div class="container">
    <div class="logo-wrapper">
      
        <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_600px_reverse.png" class="project-logo" title="Quarkus"></a>
      
    </div>
    <label class="nav-toggle" for="checkbox">
      <i class="fa fa-bars"></i>
    </label>
    <div id="menu" class="menu">
      <span>
        <a href="/get-started/" class="">Get Started</a>
      </span>
      <span>
        <a href="/guides/" class="active">Guides</a>
      </span>
      <span>
        <a href="/community/" class="">Community</a>
      </span>
      <span>
        <a href="/support/" class="">Support</a>
      </span>
      <span>
        <a href="/blog/" class="">Blog</a>
      </span>
      <span>
        <a href="https://code.quarkus.io" class="button-cta secondary white">Start Coding</a>
      </span>
    </div>
  </div>
      </nav>
    </div>
  </div>
</div>

  <div class="content">
    <div class="guide">
  <div class="width-12-12">
    <h1 class="text-caps">Quarkus - Quarkus Extension for Spring Security API</h1>
    <div class="hide-mobile toc"><ul class="sectlevel1">
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#solution">Solution</a></li>
<li><a href="#creating-the-maven-project">Creating the Maven project</a></li>
<li><a href="#greetingcontroller">GreetingController</a></li>
<li><a href="#greetingcontrollertest">GreetingControllerTest</a></li>
<li><a href="#package-and-run-the-application">Package and run the application</a></li>
<li><a href="#modify-the-controller-to-secure-the-hello-method">Modify the controller to secure the <code>hello</code> method</a></li>
<li><a href="#greetingcontrollertest-2">GreetingControllerTest</a></li>
<li><a href="#test-the-changes">Test the changes</a></li>
<li><a href="#run-the-application-as-a-native-executable">Run the application as a native executable</a></li>
<li><a href="#supported-spring-security-functionalities">Supported Spring Security functionalities</a>
<ul class="sectlevel2">
<li><a href="#annotations">Annotations</a></li>
</ul>
</li>
<li><a href="#important-technical-note">Important Technical Note</a></li>
<li><a href="#conversion-table">Conversion Table</a></li>
<li><a href="#more-spring-guides">More Spring guides</a></li>
</ul></div>
    <div>
      <div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>While users are encouraged to use <a href="security#standard-security-annotations">Java standard annotations for security authorizations</a>, Quarkus provides a compatibility layer for Spring Security in the form of the <code>spring-security</code> extension.</p>
</div>
<div class="paragraph">
<p>This guide explains how a Quarkus application can leverage the well known Spring Security annotations to define authorizations on RESTful services using roles.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>This technology is considered preview.</p>
</div>
<div class="paragraph">
<p>In <em>preview</em>, backward compatibility and presence in the ecosystem is not guaranteed.
Specific improvements might require to change configuration or APIs and plans to become <em>stable</em> are under way.
Feedback is welcome on our <a href="https://groups.google.com/d/forum/quarkus-dev">mailing list</a> or as issues in our <a href="https://github.com/quarkusio/quarkus/issues">GitHub issue tracker</a>.</p>
</div>
<div class="paragraph">
<p>For a full list of possible extension statuses, check our <a href="https://quarkus.io/faq/#extension-status">FAQ entry</a>.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="prerequisites"><a class="anchor" href="#prerequisites"></a>Prerequisites</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To complete this guide, you need:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>less than 15 minutes</p>
</li>
<li>
<p>an IDE</p>
</li>
<li>
<p>JDK 1.8+ installed with <code>JAVA_HOME</code> configured appropriately</p>
</li>
<li>
<p>Apache Maven 3.6.2+</p>
</li>
<li>
<p>Some familiarity with the Spring Web extension</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="solution"><a class="anchor" href="#solution"></a>Solution</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We recommend that you follow the instructions in the next sections and create the application step by step.
However, you can go right to the completed example.</p>
</div>
<div class="paragraph">
<p>Clone the Git repository: <code>git clone <a href="https://github.com/quarkusio/quarkus-quickstarts.git" class="bare">https://github.com/quarkusio/quarkus-quickstarts.git</a></code>, or download an <a href="https://github.com/quarkusio/quarkus-quickstarts/archive/master.zip">archive</a>.</p>
</div>
<div class="paragraph">
<p>The solution is located in the <code>spring-security-quickstart</code> <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/spring-security-quickstart">directory</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="creating-the-maven-project"><a class="anchor" href="#creating-the-maven-project"></a>Creating the Maven project</h2>
<div class="sectionbody">
<div class="paragraph">
<p>First, we need a new project. Create a new project with the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="shell" class="language-shell hljs">mvn io.quarkus:quarkus-maven-plugin:1.7.0.Final:create \
    -DprojectGroupId=org.acme \
    -DprojectArtifactId=spring-security-quickstart \
    -DclassName="org.acme.spring.security.GreetingController" \
    -Dpath="/greeting" \
    -Dextensions="spring-web, spring-security, quarkus-elytron-security-properties-file"
cd spring-security-quickstart</code></pre>
</div>
</div>
<div class="paragraph">
<p>This command generates a Maven project with a REST endpoint and imports the <code>spring-web</code>, <code>spring-security</code> and <code>security-properties-file</code> extensions.</p>
</div>
<div class="paragraph">
<p>If you already have your Quarkus project configured, you can add the <code>spring-web</code>, <code>spring-security</code> and <code>security-properties-file</code> extensions
to your project by running the following command in your project base directory:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw quarkus:add-extension -Dextensions="spring-web, spring-security, quarkus-elytron-security-properties-file"</code></pre>
</div>
</div>
<div class="paragraph">
<p>This will add the following to your <code>pom.xml</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="xml" class="language-xml hljs">&lt;dependency&gt;
    &lt;groupId&gt;io.quarkus&lt;/groupId&gt;
    &lt;artifactId&gt;quarkus-spring-web&lt;/artifactId&gt;
&lt;/dependency&gt;
&lt;dependency&gt;
    &lt;groupId&gt;io.quarkus&lt;/groupId&gt;
    &lt;artifactId&gt;quarkus-spring-security&lt;/artifactId&gt;
&lt;/dependency&gt;
&lt;dependency&gt;
    &lt;groupId&gt;io.quarkus&lt;/groupId&gt;
    &lt;artifactId&gt;quarkus-elytron-security-properties-file&lt;/artifactId&gt;
&lt;/dependency&gt;</code></pre>
</div>
</div>
<div class="paragraph">
<p>For more information about <code>security-properties-file</code>, you can check out the guide of the <a href="security-properties">quarkus-elytron-security-properties-file</a> extension.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="greetingcontroller"><a class="anchor" href="#greetingcontroller"></a>GreetingController</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The Quarkus Maven plugin automatically generated a controller with the Spring Web annotations to define our REST endpoint (instead of the JAX-RS ones used by default).
The <code>src/main/java/org/acme/spring/web/GreetingController.java</code> file looks as follows:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.spring.security;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.PathVariable;

@RestController
@RequestMapping("/greeting")
public class GreetingController {

    @GetMapping
    public String hello() {
        return "hello";
    }
}</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="greetingcontrollertest"><a class="anchor" href="#greetingcontrollertest"></a>GreetingControllerTest</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Note that a test for the controller has been created as well:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.spring.security;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;

@QuarkusTest
public class GreetingControllerTest {

    @Test
    public void testHelloEndpoint() {
        given()
          .when().get("/greeting")
          .then()
             .statusCode(200)
             .body(is("hello"));
    }

}</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="package-and-run-the-application"><a class="anchor" href="#package-and-run-the-application"></a>Package and run the application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Run the application with: <code>./mvnw quarkus:dev</code>.
Open your browser to <a href="http://localhost:8080/greeting" class="bare">http://localhost:8080/greeting</a>.</p>
</div>
<div class="paragraph">
<p>The result should be: <code>{"message": "hello"}</code>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="modify-the-controller-to-secure-the-hello-method"><a class="anchor" href="#modify-the-controller-to-secure-the-hello-method"></a>Modify the controller to secure the <code>hello</code> method</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In order to restrict access to the <code>hello</code> method to users with certain roles, the <code>@Secured</code> annotation will be utilized.
The updated controller will be:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.spring.security;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.bind.annotation.PathVariable;

@RestController
@RequestMapping("/greeting")
public class GreetingController {

    @Secured("admin")
    @GetMapping
    public String hello() {
        return "hello";
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>The easiest way to setup users and roles for our example is to use the <code>security-properties-file</code> extension. This extension essentially allows users and roles to be defined in the main Quarkus configuration file - <code>application.properties</code>.
For more information about this extension check <a href="security-properties">the associated guide</a>.
An example configuration would be the following:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="properties" class="language-properties hljs">quarkus.security.users.embedded.enabled=true
quarkus.security.users.embedded.plain-text=true
quarkus.security.users.embedded.users.scott=jb0ss
quarkus.security.users.embedded.roles.scott=admin,user
quarkus.security.users.embedded.users.stuart=test
quarkus.security.users.embedded.roles.stuart=user</code></pre>
</div>
</div>
<div class="paragraph">
<p>Note that the test also needs to be updated. It could look like:</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="greetingcontrollertest-2"><a class="anchor" href="#greetingcontrollertest-2"></a>GreetingControllerTest</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.spring.security;

import io.quarkus.test.junit.QuarkusTest;
import org.junit.jupiter.api.Test;

import static io.restassured.RestAssured.given;
import static org.hamcrest.CoreMatchers.is;

@QuarkusTest
public class GreetingControllerTest {

    @Test
    public void testHelloEndpointForbidden() {
        given().auth().preemptive().basic("stuart", "test")
                .when().get("/greeting")
                .then()
                .statusCode(403);
    }

    @Test
    public void testHelloEndpoint() {
        given().auth().preemptive().basic("scott", "jb0ss")
                .when().get("/greeting")
                .then()
                .statusCode(200)
                .body(is("hello"));
    }

}</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="test-the-changes"><a class="anchor" href="#test-the-changes"></a>Test the changes</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">Access allowed</dt>
<dd>
<p>Open your browser again to <a href="http://localhost:8080/greeting" class="bare">http://localhost:8080/greeting</a> and introduce <code>scott</code> and <code>jb0ss</code> in the dialog displayed.</p>
<div class="paragraph">
<p>The word <code>hello</code> should be displayed.</p>
</div>
</dd>
<dt class="hdlist1">Access forbidden</dt>
<dd>
<p>Open your browser again to <a href="http://localhost:8080/greeting" class="bare">http://localhost:8080/greeting</a> and let empty the dialog displayed.</p>
<div class="paragraph">
<p>The result should be:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-none hljs">Access to localhost was denied
You don't have authorization to view this page.
HTTP ERROR 403</code></pre>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="run-the-application-as-a-native-executable"><a class="anchor" href="#run-the-application-as-a-native-executable"></a>Run the application as a native executable</h2>
<div class="sectionbody">
<div class="paragraph">
<p>You can of course create a native image using the instructions of the <a href="building-native-image">Building a native executable guide</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="supported-spring-security-functionalities"><a class="anchor" href="#supported-spring-security-functionalities"></a>Supported Spring Security functionalities</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Quarkus currently only supports a subset of the functionalities that Spring Security provides with more features being planned. More specifically, Quarkus supports the security related features of role-based authorization semantics
(think of <code>@Secured</code> instead of <code>@RolesAllowed</code>).</p>
</div>
<div class="sect2">
<h3 id="annotations"><a class="anchor" href="#annotations"></a>Annotations</h3>
<div class="paragraph">
<p>The table below summarizes the supported annotations:</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<caption class="title">Table 1. Supported Spring Security annotations</caption>
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Name</th>
<th class="tableblock halign-left valign-top">Comments</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">@Secured</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">@PreAuthorize</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">See next section for more details</p></td>
</tr>
</tbody>
</table>
<div class="sect3">
<h4 id="preauthorize"><a class="anchor" href="#preauthorize"></a>@PreAuthorize</h4>
<div class="paragraph">
<p>Quarkus provides support for some of the most used features of Spring Security&#8217;s <code>@PreAuthorize</code> annotation.
The expressions that are supported are the following:</p>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">hasRole</dt>
<dd>
<div class="paragraph">
<p>To test if the current user has a specific role, the <code>hasRole</code> expression can be used inside <code>@PreAuthorize</code>.</p>
</div>
<div class="paragraph">
<p>Some examples are: <code>@PreAuthorize("hasRole('admin')")</code>, <code>@PreAuthorize("hasRole(@roles.USER)")</code> where the <code>roles</code> is a bean that could be defined like so:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">import org.springframework.stereotype.Component;

@Component
public class Roles {

    public final String ADMIN = "admin";
    public final String USER = "user";
}</code></pre>
</div>
</div>
</dd>
<dt class="hdlist1">hasAnyRole</dt>
<dd>
<p>In the same fashion as <code>hasRole</code>, users can use <code>hasAnyRole</code>  to check if the logged in user has any of the specified roles.</p>
<div class="paragraph">
<p>Some examples are: <code>@PreAuthorize("hasAnyRole('admin')")</code>, <code>@PreAuthorize("hasAnyRole(@roles.USER, 'view')")</code></p>
</div>
</dd>
<dt class="hdlist1">permitAll</dt>
<dd>
<p>Adding <code>@PreAuthorize("permitAll()")</code> to a method will ensure that that method is accessible by any user (including anonymous users). Adding it to a class will ensure that all public methods
of the class that are not annotated with any other Spring Security annotation will be accessible.</p>
</dd>
<dt class="hdlist1">denyAll</dt>
<dd>
<p>Adding <code>@PreAuthorize("denyAll()")</code> to a method will ensure that that method is not accessible by any user. Adding it to a class will ensure that all public methods
of the class that are not annotated with any other Spring Security annotation will not be accessible to any user.</p>
</dd>
<dt class="hdlist1">isAnonymous</dt>
<dd>
<p>When annotating a bean method with <code>@PreAuthorize("isAnonymous()")</code> the method will only be accessible if the current user is anonymous - i.e. a non logged in user.</p>
</dd>
<dt class="hdlist1">isAuthenticated</dt>
<dd>
<p>When annotating a bean method with <code>@PreAuthorize("isAuthenticated()")</code> the method will only be accessible if the current user is a logged in user. Essentially the
method is only unavailable for anonymous users.</p>
</dd>
<dt class="hdlist1">#paramName == authentication.principal.username</dt>
<dd>
<p>This syntax allows users to check if a parameter (or a field of the parameter) of the secured method is equal to the logged in username.</p>
<div class="paragraph">
<p>Examples of this use case are:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">public class Person {

    private final String name;

    public Person(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }
}

@Component
public class MyComponent {

    @PreAuthorize("#username == authentication.principal.username") <i class="conum" data-value="1"></i><b>(1)</b>
    public void doSomething(String username, String other){

    }

    @PreAuthorize("#person.name == authentication.principal.username") <i class="conum" data-value="2"></i><b>(2)</b>
    public void doSomethingElse(Person person){

    }
}</code></pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td><code>doSomething</code> can be executed if the current logged in user is the same as the <code>username</code> method parameter</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td><code>doSomethingElse</code> can be executed if the current logged in user is the same as the <code>name</code> field of <code>person</code> method parameter</td>
</tr>
</table>
</div>
<div class="admonitionblock tip">
<table>
<tr>
<td class="icon">
<i class="fa icon-tip" title="Tip"></i>
</td>
<td class="content">
the use of <code>authentication.</code> is optional, so using <code>principal.username</code> has the same result.
</td>
</tr>
</table>
</div>
</dd>
<dt class="hdlist1">#paramName != authentication.principal.username</dt>
<dd>
<p>This is similar to the previous expression with the difference being that the method parameter must be different than the logged in username.</p>
</dd>
<dt class="hdlist1">@beanName.method()</dt>
<dd>
<p>This syntax allows developers to specify that the execution of method of a specific bean will determine if the current user can access the secured method.</p>
<div class="paragraph">
<p>The syntax is best explained with an example.
Let&#8217;s assume that a <code>MyComponent</code> bean has been created like so:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">@Component
public class MyComponent {

    @PreAuthorize("@personChecker.check(#person, authentication.principal.username)")
    public void doSomething(Person person){

    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>The <code>doSomething</code> method has been annotated with <code>@PreAuthorize</code> using an expression that indicates that method <code>check</code> of a bean named <code>personChecker</code> needs
to be invoked to determine whether the current user is authorized to invoke the <code>doSomething</code> method.</p>
</div>
<div class="paragraph">
<p>An example of the <code>PersonChecker</code> could be:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">@Component
public class PersonChecker {

    @Override
    public boolean check(Person person, String username) {
        return person.getName().equals(username);
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>Note that for the <code>check</code> method the parameter types must match what is specified in <code>@PreAuthorize</code> and that the return type must be a <code>boolean</code>.</p>
</div>
</dd>
</dl>
</div>
<div class="sect4">
<h5 id="combining-expressions"><a class="anchor" href="#combining-expressions"></a>Combining expressions</h5>
<div class="paragraph">
<p>The <code>@PreAuthorize</code> annotations allows for the combination of expressions using logical <code>AND</code> / <code>OR</code>. Currently there is a limitation where only a single
logical operation can be used (meaning mixing <code>AND</code> and <code>OR</code> isn&#8217;t allowed).</p>
</div>
<div class="paragraph">
<p>Some examples of allowed expressions are:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">    @PreAuthorize("hasAnyRole('user', 'admin') AND #user == principal.username")
    public void allowedForUser(String user) {

    }

    @PreAuthorize("hasRole('user') OR hasRole('admin')")
    public void allowedForUserOrAdmin() {

    }

    @PreAuthorize("hasAnyRole('view1', 'view2') OR isAnonymous() OR hasRole('test')")
    public void allowedForAdminOrAnonymous() {

    }</code></pre>
</div>
</div>
<div class="paragraph">
<p>Also to be noted that currently parentheses are not supported and expressions are evaluated from left to right when needed.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="important-technical-note"><a class="anchor" href="#important-technical-note"></a>Important Technical Note</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Please note that the Spring support in Quarkus does not start a Spring Application Context nor are any Spring infrastructure classes run.
Spring classes and annotations are only used for reading metadata and / or are used as user code method return types or parameter types.
What that means for end users, is that adding arbitrary Spring libraries will not have any effect. Moreover Spring infrastructure
classes (like <code>org.springframework.beans.factory.config.BeanPostProcessor</code> for example) will not be executed.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="conversion-table"><a class="anchor" href="#conversion-table"></a>Conversion Table</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The following table shows how Spring Security annotations can be converted to JAX-RS annotations.</p>
</div>
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 33.3333%;">
<col style="width: 33.3333%;">
<col style="width: 33.3334%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Spring</th>
<th class="tableblock halign-left valign-top">JAX-RS</th>
<th class="tableblock halign-left valign-top">Comments</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">@Secured("admin")</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">@RolesAllowed("admin")</p></td>
<td class="tableblock halign-left valign-top"></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="sect1">
<h2 id="more-spring-guides"><a class="anchor" href="#more-spring-guides"></a>More Spring guides</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Quarkus has more Spring compatibility features. See the following guides for more details:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="spring-di">Quarkus - Extension for Spring DI</a></p>
</li>
<li>
<p><a href="spring-web">Quarkus - Extension for Spring Web</a></p>
</li>
<li>
<p><a href="spring-data-jpa">Quarkus - Extension for Spring Data JPA</a></p>
</li>
<li>
<p><a href="spring-cloud-config-client">Quarkus - Reading properties from Spring Cloud Config Server</a></p>
</li>
<li>
<p><a href="spring-boot-properties">Quarkus - Extension for Spring Boot properties</a></p>
</li>
<li>
<p><a href="spring-cache">Quarkus - Extension for Spring Cache</a></p>
</li>
<li>
<p><a href="spring-scheduled">Quarkus - Extension for Spring Scheduled</a></p>
</li>
</ul>
</div>
</div>
</div>
    </div>
  </div>
</div>

  </div>

  <div class="content project-footer">
  <div class="footer-section">
    <div class="logo-wrapper">
      <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_reverse.svg" class="project-logo" title="Quarkus"></a>
    </div>
  </div>
  <div class="grid-wrapper">
    <p class="grid__item width-3-12">Quarkus is open. All dependencies of this project are available under the <a href='https://www.apache.org/licenses/LICENSE-2.0' target='_blank'>Apache Software License 2.0</a> or compatible license.<br /><br />This website was built with <a href='https://jekyllrb.com/' target='_blank'>Jekyll</a>, is hosted on <a href='https://pages.github.com/' target='_blank'>Github Pages</a> and is completely open source. If you want to make it better, <a href='https://github.com/quarkusio/quarkusio.github.io' target='_blank'>fork the website</a> and show us what you’ve got.</p>

    
      <div class="width-1-12 project-links">
        <span>Navigation</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="/">Home</a></li>
          
            <li><a href="/guides">Guides</a></li>
          
            <li><a href="/community/#contributing">Contribute</a></li>
          
            <li><a href="/faq">FAQ</a></li>
          
            <li><a href="/get-started">Get Started</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Contribute</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://twitter.com/quarkusio">Follow us</a></li>
          
            <li><a href="https://github.com/quarkusio">GitHub</a></li>
          
            <li><a href="/security">Security&nbsp;policy</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Get Help</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://groups.google.com/forum/#!forum/quarkus-dev">Forums</a></li>
          
            <li><a href="https://quarkusio.zulipchat.com">Chatroom</a></li>
          
        </ul>
      </div>
    

    
      <div class="width-3-12 more-links">
        <span>Quarkus is made of community projects</span>
        <ul class="footer-links">
          
            <li><a href="https://vertx.io/" target="_blank">Eclipse Vert.x</a></li>
          
            <li><a href="https://microprofile.io" target="_blank">Eclipse MicroProfile</a></li>
          
            <li><a href="https://hibernate.org" target="_blank">Hibernate</a></li>
          
            <li><a href="https://netty.io" target="_blank">Netty</a></li>
          
            <li><a href="https://resteasy.github.io" target="_blank">RESTEasy</a></li>
          
            <li><a href="https://camel.apache.org" target="_blank">Apache Camel</a></li>
          
            <li><a href="https://code.quarkus.io/" target="_blank">And many more...</a></li>
          
        </ul>
      </div>
    
  </div>
</div>
  <div class="content redhat-footer">
  <div class="grid-wrapper">
    <span class="licence">
      <i class="fab fa-creative-commons"></i><i class="fab fa-creative-commons-by"></i> <a href="https://creativecommons.org/licenses/by/3.0/" target="_blank">CC by 3.0</a> | <a href="https://www.redhat.com/en/about/privacy-policy">Privacy Policy</a>
    </span>
    <span class="redhat">
      Sponsored by
    </span>
    <span class="redhat-logo">
      <a href="https://www.redhat.com/" target="_blank"><img src="/assets/images/redhat_reversed.svg"></a>
    </span>
  </div>
</div>


  <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js" integrity="sha384-8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx" crossorigin="anonymous"></script>
  <script type="text/javascript" src="/assets/javascript/mobile-nav.js"></script>
  <script type="text/javascript" src="/assets/javascript/scroll-down.js"></script>
  <script src="/assets/javascript/satellite.js" type="text/javascript"></script>
  <script src="https://quarkus.io/guides/javascript/config.js" type="text/javascript"></script>
  <script src="/assets/javascript/search-filter.js" type="text/javascript"></script>
  <script src="/assets/javascript/back-to-top.js" type="text/javascript"></script>
</body>

</html>
